Can you please send the unredacted content of request.txt to my address?

If not, then please at least send me the content of the traffic file, which you
can obtain by just appending "-t traffic.txt" to the regular sqlmap
run.

Bye

On Tue, Apr 28, 2015 at 2:10 PM, Alistair Johnson <amcljohn...@gmail.com>
wrote:

> Thanks for the quick reply.
>
> The contents of the request file are as follows:
>
> GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1
> Host: <redacted>
> Accept: */*
> Accept-Language: en
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> Connection: close
> Referer: <redacted>
> Cookie: <redacted>
>
> I've redacted some of the details as it's not appropriate to draw
> attention to an internet facing application's SQLi vulnerability.
>
> When providing the request file as part of the following command:
> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> 'industries' -v 1
>
> sqlmap executes as normal but cannot identify (and therefore cannot
> exploit) the boolean-based blind vulnerability which I've verified
> manually.
>
> Thanks again,
>
> Al.
>
>
> On Tue, Apr 28, 2015 at 9:59 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
> > And what is the content of request file?
> >
> > Bye
> >
> > On Tue, Apr 28, 2015 at 1:03 PM, Alistair Johnson <amcljohn...@gmail.com>
> > wrote:
> >>
> >> Hi sqlmappers,
> >>
> >> I'm a fairly experienced user of sqlmap, having used it extensively in
> >> the past. I came across what appeared to be a pretty typical boolean-based
> >> blind SQLi in an application I'm (legally) testing. However, for the
> >> first time, I'm unable to get sqlmap to recognise the parameter as
> >> vulnerable in order to exploit it further. And as we know, manually
> >> exploiting blind SQLi is cumbersome to say the least.
> >>
> >> Here is a summary of the requests I've made to manually confirm the
> >> vulnerability.
> >>
> >> /help/UserGuide.aspx?Sec=PackageSelection (returns response A)
> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 (returns response A)
> >> /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 (returns response B)
> >>
> >> I've tried various sqlmap flags and thought the following command
> >> would give me the best chance of success:
> >>
> >> sqlmap -r '<request file>' -p 'Sec' --dbms 'Microsoft SQL Server'
> >> --level=4 --proxy=http://127.0.0.1:8080 --technique=B --string
> >> 'industries' -v 1
> >>
> >> Note: the string 'industries' is text that appears in response A but
> >> not response B.
> >>
> >> I've looked at the requests that sqlmap is sending in the background
> >> (proxied through burp). It appears that it's attempting to exploit
> >> this with the AND statement as it should but is not using single
> >> quotes as per my example above.
> >>
> >> I'd appreciate any insight. If this is a shortcoming in sqlmap, I'd be
> >> more than happy to contribute some time to improve it so it can
> >> identify injectable parameters such as these in the future.
> >>
> >> Thanks,
> >>
> >> Al.
> >>
> >>
> >>
> >> _______________________________________________
> >> sqlmap-users mailing list
> >> sqlmap-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> >
> >
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
>



-- 
Miroslav Stampar
http://about.me/stamparm
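As an added defender-side example (not part of the thread and not sqlmap code), this is the detection counterpart of the manual probes Al lists: it scans access-log lines for quote-closed AND/OR tautology probes such as `'+and+'1'='1` and pairs the true and false variant per client and parameter, where a differing response size is the server-side footprint of a boolean-based blind condition. The log lines, client IP, timestamps and sizes are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format) replaying the three manual probes
# from the thread; IP, timestamps and sizes are made up, A (true) and B (false) differ.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2015:12:01:03 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection HTTP/1.1" 200 5120
203.0.113.7 - - [28/Apr/2015:12:01:09 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='1 HTTP/1.1" 200 5120
203.0.113.7 - - [28/Apr/2015:12:01:15 +0000] "GET /help/UserGuide.aspx?Sec=PackageSelection'+and+'1'='2 HTTP/1.1" 200 3871
203.0.113.9 - - [28/Apr/2015:12:02:00 +0000] "GET /help/UserGuide.aspx?Sec=Billing HTTP/1.1" 200 4990
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# A boolean probe closes the original string literal with a quote, then appends
# AND/OR plus a comparison whose truth the sender controls:
#   PackageSelection' and '1'='1  (true)    PackageSelection' and '1'='2  (false)
BOOL_PROBE_RE = re.compile(
    r"""['"]\s*(?:and|or)\s+['"]?(?P<lhs>\w+)['"]?\s*=\s*['"]?(?P<rhs>\w+)['"]?\s*$""",
    re.IGNORECASE)

def classify_probe(value):
    """Return 'true', 'false' or None for one URL-decoded parameter value."""
    m = BOOL_PROBE_RE.search(value)
    if not m:
        return None
    return "true" if m.group("lhs") == m.group("rhs") else "false"

def find_boolean_probes(log_text):
    """Return (ip, param, kind, status, size) for every request carrying a probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        # parse_qsl percent-decodes and maps '+' to space, as the application would
        for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            kind = classify_probe(value)
            if kind:
                findings.append((m.group("ip"), name, kind, int(m.group("status")), size))
    return findings

def paired_probes(findings):
    """Keep (ip, param) keys that got both a true and a false probe, with each size."""
    seen = {}
    for ip, name, kind, _status, size in findings:
        seen.setdefault((ip, name), {})[kind] = size
    return {k: v for k, v in seen.items() if {"true", "false"} <= v.keys()}
```

A pair whose two sizes differ, as here (5120 vs 3871), is the one worth alerting on: the server answered the true and false condition differently, which is exactly what the `--string 'industries'` check in the thread relies on.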